Micro Focus Application Automation Plugin 6.9
After installing your plugin, we are faced with a big security issue.
In order to use the plugin we are required to enter ALL the users and their passwords in the Jenkins Configure System screen.
This causes us:
- the need to have Jenkins server administrative access to change/add/remove users.
- the need to have Jenkins administrative access to change a password for a user.
- a problem in which any user with access to the Jenkins server can choose any pre-defined user to access the ALM server (since it is configured in the server level, and not in the job level) - THIS IS THE SECURITY PROBLEM....
I would expect you to use the credentials system embedded in the Jenkins server in order to be able to receive the credentials on the job/script level (like almost any other plugin).
- each user can only access the credentials he is allowed.
- each user can add/change/remove credentials without Jenkins administrative privilege but only with credential privilege.
- other users in the system are not exposed to credentials they are not allowed to see.
I'm available to provide any needed information regarding this issue.
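For illustration, a job-level credential lookup of the kind requested above, using the `withCredentials` step from the Jenkins Credentials Binding plugin. This is an added example, not code from the reporter or from the Application Automation plugin; the credential ID `team-a-alm-user` and the script `run-alm-tests.sh` are hypothetical, and the credential is assumed to be stored in the job's folder credential store.

```groovy
// Added example. Assumptions: the Credentials Binding plugin is installed,
// and a Username/Password credential with the hypothetical ID
// 'team-a-alm-user' exists in the credential store of the folder that
// contains this job (not in the global Configure System screen).
pipeline {
    agent any
    stages {
        stage('Run ALM tests') {
            steps {
                // The job names only a credential ID. Jenkins resolves it
                // against the stores visible to this job, so a job outside
                // the folder cannot pick up this ALM account.
                withCredentials([usernamePassword(
                        credentialsId: 'team-a-alm-user',
                        usernameVariable: 'ALM_USER',
                        passwordVariable: 'ALM_PASS')]) {
                    // Hypothetical runner script that reads ALM_USER and
                    // ALM_PASS from its environment. The secrets are passed
                    // as environment variables, never interpolated into the
                    // Groovy string, and are masked in the console log.
                    sh './run-alm-tests.sh'
                }
            }
        }
    }
}
```

Rotating the password then means updating one credential entry in the folder store, which needs credential permissions on that folder rather than Jenkins administrative access.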
|Field||Original Value||New Value|
|Assignee||radislav [ JIRAUSER130913 ]||Dorin Bogdan [ JIRAUSER132181 ]|
|Summary||SECURITY BREACH - ability to use other user credentials||Credential handling should be more fine-grained|
|Priority||Critical [ 2 ]||Major [ 3 ]|
|Issue Type||Bug [ 1 ]||New Feature [ 2 ]|
|Status||Open [ 1 ]||In Progress [ 3 ]|
|Resolution||Fixed [ 1 ]|
|Status||In Progress [ 3 ]||Fixed but Unreleased [ 10203 ]|
|Status||Fixed but Unreleased [ 10203 ]||Closed [ 6 ]|